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The effective usages of computational resources are a primary concern of up-to-date distributed appli- 
cations. In this paper, we present a methodology to reason about resource usages (acquisition, release, 
revision, ...), and therefore the proposed approach enables to predict bad usages of resources. Keep- 
ing in mind the interplay between local and global information occurring in the application-resource 
interactions, we model resources as entities with local policies and global properties governing the 
overall interactions. Formally, our model takes the shape of an extension of ^-calculus with primi- 
tives to manage resources. We develop a Control Flow Analysis computing a static approximation of 
process behaviour and therefore of the resource usages. 

1 Introduction 

Evolutionary programming paradigms for distributed systems changed the way computational resources 
are integrated into applications. Resources are usually geographically distributed and have their own 
states, costs and access mechanisms. Moreover, resources are not created nor destroyed by applications, 
but directly acquired on-the-fly when needed from suitable resource rental services. Clearly, resource 
acquisition is subject to availability and requires the agreement between client requirements and ser- 
vice guarantees (Service Level Agreement - SLA). The dynamic acquisition of resources increases the 
complexity of software since the capability of adapting behaviour strictly depends on resource availabil- 
ity. Ubiquitous computing [1] and Cloud computing (8][T6j|2l provide illustrative examples of a new 
generation of applications where resource awareness has been a major concern. 

The design of suitable mechanisms to control the distributed acquisition and ownership of com- 
putational resources is therefore a great challenge. Understanding the foundations of the distributed 
management of resources could support state-of-the-art advances of programming language constructs, 
algorithms and reasoning techniques for resource-aware programming. In the last few years, the problem 
of providing the mathematical basis for the mechanisms that support resource acquisition and usage has 
been tackled by several authors (see e.g. (3l|7l[T3l[TTl[T5l, to cite only a few). 

Here we consider a programming model where processes and resources are distinguished entities. 
Resources are computational entities having their own life-cycle. Resources can range from compu- 
tational infrastructures, storage and data services to special-purpose devices. Processes dynamically 
acquire the required resources when available, but they cannot create any resource. This simple pro- 
gramming model abstracts the features of several interesting distributed applications. As an example, let 
us consider a cloud system offering computing resources. The available resources are the CPU units of a 
given power and processes can only acquire the CPU time, when available, to run some specialised code. 
Similar considerations apply to storage services, where client processes can only acquire slots of the 
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available storage. In our programming model, the deployed resources can be dynamically reconfigured 
to deal with resource upgrade, resource un-availability, security intrusion and failures. A distinguished 
feature of our approach is that the reconfiguration steps updating the structure of the available resources 
are not under the control of client processes. 

In this paper, we introduce the formal basis of our programming model. Specifically, we introduce 
a process calculus with explicit primitives for the distributed ownerships of resources. In our calculus, 
resources are not statically granted to processes, but they are dynamically acquired on-the-fly when they 
are needed. 

We start from the TT-calculus lfl4l and we extend it with primitives to represent resources and the 
operations to acquire and release resources on demand. Central to our approach is the identification of an 
abstract notion of resource. In our model, resources are stateful entities available in the network environ- 
ment where processes live. Specifically, a resource is described through the declaration of its interaction 
endpoint (the resource name), its local state and its global properties. Global properties establish and 
enforce the SLA to be satisfied by any interaction the resource engages with its client process. The global 
interaction properties can be expressed by means of a suitable resource-aware logic in the style of li3l. or 
contract-based logic as in lfT0l l4l. The interplay between local and global information occurring in the 
process-resource interactions motivates the adjective G-Local given to our extension of the TT-calculus. 

Since we build over the 7i-calculus, name-passing is the basic communication mechanism among 
processes. Beyond exchanging channel names, processes can pass resource names as well. Resource 
acquisition is instead based on a different abstraction. In order to acquire the ownership of a certain 
resource, a process issues a suitable request. Such request is routed in the network environment to the 
resource. The resource is granted only if it is available. In other words the process-resource interaction 
paradigm adheres to the publish-subscribe model: resources act as publishers while processes act as 
subscribers. Notice that processes issue their requests without being aware of the availability of the 
resources. When they have completed their task on the acquired resource they release it and make it 
available for new requests. The two-stage nature of the publish-subscribe paradigm relaxes the inter- 
dependencies among computational components thus achieving a high degree of loose coupling among 
processes and resources. In this sense our model also resembles tuple-based systems [12]. Consequently, 
our model seems to be particularly suitable to manage distributed systems where the set of published 
resources is subject to frequent changes and dynamic reconfigurations. 

To summarise, our approach combines the basic features of the 7i-calculus (i.e. dynamic communi- 
cation topology of processes via name passing) with the publish-subscribe paradigm for the distributed 
acquisition of resources. This is our first contribution. The interplay between local and global views is 
also one of the novel features of our proposal. A second contribution consists in the development of a 
Control Flow Analysis (CFA) for our calculus. The analysis computes a safe approximation of resource 
usages. Hence, it can be used to statically check whether or not the global properties of resources usages 
are respected by process interactions. In particular, it helps detecting bad usages of resources, due to 
policy violations. This suggests where are sensible points in the code that need dynamic check in order 
to avoid policy violations. 

Related Work. The primitives for resource management make our approach easy to specify a wide range 
of the resource behaviour of distributed systems such as Cloud Computing and Ubiquitous Computing. 
We believe that our approach also leverages analysis technique such as CFA and behavioural types. A 
simplified version of the G-Local TT-calculus has been presented in [6]. The work presented here differs 
in several ways from the previous one. The version of the calculus we considered in this paper is more 
expressive of the one presented in [6] since here processes can pass resource names around. This feature 
was not allowed in [6]. Also, the management of resource acquisition and release is much more powerful. 
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P,P' 



processes 
empty process 
prefix action 
restriction 
choice 

parallel composition 
resource joint point 
resource request point 
replication 



action prefixes 





7Z.P 



T internal action 

x(w) free input 



(vz)P 



xw free output 



P + P' 
P II P' 



a(r) access action 



rel(r) release action 



(r,q>,r]){P} 
req(s){P} 



\P 



Figure 1 : The syntax of G-Local 7i-calculus. 



In Q an extension of the A -calculus is proposed to statically verify resource usages. Our notion 
of global usages is inspired by this work. The 7T-calculus dialect of |[T3l provides a general framework 
for checking resource usages in distributed systems. In this approach private names are extended to 
resources, i.e. names with a set of traces to define control over resources. Also resource request and 
resource release are simulated through communicating private names and structural rules respectively. 
This gives shared semantics of resources, i.e. several processes can have a concurrent access to resources 
(by communicating private names). In our approach, when a process obtains a resource, it has an exclu- 
sive access to it. Furthermore, resource entities can be dynamically reconfigured, while this is not the 
case in f!3l . 

In ifTTI . resources form a monoid and the evolution of processes and resources happens in a SCCS 
style. In our approach, resources are independent stateful entities equipped with their own global inter- 
action usage policy. A dialect of the % -calculus, where resources are abstractly represented via names 
and can be allocated or de-allocated has been introduced in ifTBI . In this approach reconfigurations steps 
are internalized inside processes via the operations for allocating and de-allocating channels. A type 
system capturing safe reconfigurations over channels has been introduced. In our approach resources 
are more structured than channels and their reconfiguration steps are not under the control of processes. 
Finally, the work presented in [?] mainly focuses on specifying SLA by describing resources as suitable 
constraints. Our approach can exploit constraints to express global resource usages as well. 



Syntax We consider the monadic version of 71-calculus 11141 extended with suitable primitives to de- 
clare, access and dispose resources. The syntax is displayed in Fig.Q] Here, M is a set of channel names 
(ranged over by x,y,z), TZ is a set of resource names (ranged over by r,s,t) and A is a set of actions 
(ranged over by a,j8) for running over resources. We assume that these sets are pairwise disjoint. From 
now on, for the sake of simplicity, we often omit the trailing 0. 

The input prefix x(w).P binds the name w (either a channel or a resource) within the process P, while 
the output prefix xw.P sends the name w along channel x and then continues as P. Note that resource 
names can be communicated, however they cannot be used as private names and used as channels. As 
usual, input prefixes and restrictions act as bindings. The meaning of the remaining operators is standard. 
The notions of names n(), free names fn(), bound names bn() and substitution {-/-} are defined as 
expected. 

Our extension introduces resource-aware constructs in the 7i-calculus. The access prefix a(r) models 
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the invocation of the operation at A over the resource bound to the variable r. Traces, denoted by rj , 77 ' e 
A*, are finite sequences of events. A usage policy is a set of traces. The release prefix rel(r) describes 
the operation of releasing the ownership of the resource s. In our programming model, resources are 
viewed as stateful entities, equipped with policies constraining their usages. More precisely, a resource 
is a triple (r, (p, rj ), where r e 1Z is a resource name, (p e <I> is the associated policy and rj £ A* is a state (£ 
denotes the empty state). Policies specify the required properties on resource usages. Policies are usually 
defined by means of a resource-aware logic (see [3]|4l[9j[l0]]), while states keep track of the sequence of 
actions performed on resources, by means of (an abstraction of) execution traces. 

For instance, in 0, the policies are expressed in terms of automata over an infinite alphabet, where 
automata steps correspond to actions on resources and final states indicate policy violations. 

To cope with resource-awareness, we introduce two primitives managing resource boundaries: re- 
source joint point (r, q>, rj ) {P} and resource request point req(r) {P}. Intuitively, process P when plugged 
inside the resource boundary (r, (p,rj){P} can fire actions acting over the resource r. The state rj is 
updated at each action a(r) according to the required policy (p. A resource request point req(r){P} 
represents a process asking for the resource r. Only if the request is fulfilled, i.e. the required resource is 
available, the process can enter the required resource boundary and can use the resource r, provided that 
the policy is satisfied. Processes of the form (r, <p, T]){0} represent available resources. These processes 
are idle: they cannot perform any operation. In other words, resources can only react to requests. 

Example 2.1 To illustrate the main features of the calculus, we consider a small example, which de- 
scribes a workshop with two hammers and one mallet. Tools are modelled as resource entities: hammer 
and mallet, with the policy (p/, ((p m , resp.) that one can only make hard hit (soft hit, resp.) when using 
hammer (mallet, resp.). We model workers as a replicated process, whose instantiations take a hammer 
or a mallet to do jobs, whose chain is described by Jobs. Job arrivals are modelled as sending/receiving 
hammer and mallet on the channels x,y. Furthermore, we assume that there are two types of jobs, hard 
jobs on the channel x and soft jobs on the channel y, which get done by hardJiit and softJiit actions 
respectively. 

The initial configuration of the workshop is given below. Resources (hammer and mallet ) have empty 
traces. Note that we have two resources of the same name hammer, which corresponds to the number of 
available hammers in the workshop. Intuitively, it means that only two jobs, which use hammers, can be 
concurrently done. We have a sequence of four jobs described by the process Jobs. 



Operational semantics The operational semantics of our calculus is defined by the transition relation 
given in Tab.Q] Labels jit, ju' for transitions are % for silent actions, x(w) for free input, xv for free output, 
x(v) for bound output, a(r), air and a(r) (rel(r), rellr and rel(r), resp.) for closed, open and faulty 
access or release actions over resource r. The effect of bound output is to extrude the sent name from the 
initial scope to the external environment. 

We assume a notion of structural congruence and we denote it by =. This includes the standard 
laws of the 7i-calculus, such as the monoidal laws for the parallel composition and the choice operator. 
To simplify the definition of our Control Flow Analysis, we impose a discipline in the choice of fresh 
names, and therefore to alpha-conversion. Indeed, the result of analysing a process P, must still hold 



Tools 
Workers 
Jobs 
Workshop 



(hammer, (p/, , s ) {0} \ (hammer, <p/j , £ ) {0} \ (mallet , (p m , s 
\x(s).req(s){hard_hit(s)}\\y(t).req(t){soft_hit(s)} 
x(hammer) .y (mallet ) .x(mallet ) .x(hammer) .0 
Tools\Workers\Jobs 



){0} 
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(vx)(r,(p,Tj){P} = (r,q>,r]){(vx)P} 
(vx)req(r){P} = req(r){(vx)P} 

(r 2 ,<?>2,T?2){0} || (r h (pi,7]i){P} = (n,9i,77i){(r 2 ,(?>2,Tj2){0} || P} 

Figure 2: Structural congruence. 

for all its derivative processes Q, including all the processes obtained from Q by alpha-conversion. In 
particular, the CFA uses the names and the variables occurring in P. If they were changed by the dynamic 
evolution, the analysis values would become a sort of dangling references, no more connected with the 
actual values. To statically maintain the identity of values and variables, we partition all the names used 
by a process into finitely many equivalence classes. We denote with [n\ the equivalence class of the 
name n, that is called canonical name of n. Not to further overload our notation, we simply write n for 
[n\, when unambiguous. We further demand that two names can be alpha-renamed only when they have 
the same canonical name. 

In addition, we introduce specific laws for managing the resource-aware constructs, reported in 
Fig. |2] If two processes P\ and P2 are equivalent, then also P\ and P2 when plugged inside the same 
resource boundaries are. Resource request and resource joint points can be swapped with the restriction 
boundary since restriction is not applied to resource names but only to channel names. The last law is 
crucial for managing the discharge of resources. This law allows rearrangements of available resources, 
e.g. an available resource is allowed to enter or escape within a resource boundary. 

The rules Act, Par, Res, Comm, Cong, Choice, Open and Close are the standard 7i-calculus ones. 
The rule Act describes actions of processes, e.g. the silent action, free input and free output. Concretely, 
xw.P sends the name w along the channel x and then behaves like P, while x(w).P receives a name via 
the channel x, to which w is bound, and then behaves like P. We only observe that our semantics is a late 
one, e.g. w is actually bound to a value when a communication occurs. Finally, x.P performs the silent 
action t and then behaves like P. 

The rule Par expresses the parallel computation of processes, while the rule Choice represents a 
choice among alternatives. The rule Comm is used to communicate free names. The rules Res and Open 
are rules for restriction. The first ensures that an action of P is also an action of (vz)P, provided that 
the restricted name z is not in the action. In the case of z in the action, the rule Open transforms a free 
output action xz into a bound output action x(z), which basically expresses opening scope of a bound 
name. The rule Close describes communication of bound names, which also closes the scope of a bound 
name in communication. 

We are now ready to comment on the semantic rules corresponding to the treatment of resources. The 
rule ActR models a process that tries to perform an action a (rel, resp.) on the resource r. This attempt is 
seen as an open action, denoted by the label air (rellr, resp.). 

Intuitively, if the process is inside the scope of r (see the rule Local\), and the action satisfies the 
policy for r, then the attempt will be successful and the corresponding action will be denoted by the label 
a(r) (see the rule Policyi). If this is not the case, the process is stuck. Similarly, if the process tries to 
release a resource with the action rel. 

We introduce the rule Comma to model the communication of resource names between processes. 

When a resource r is available, then it can be acquired by a process P that enters the corresponding 
resource boundary (r, (p,rj), as stated by the rule Acquire. 

Symmetrically, according to the rule Release, the process P can release an acquired resource r and 
update the state of its resources by appending rel to r\ . In the resulting process, the process P escapes the 
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(Act) n.P^P %* <x(r),rel(r) (Cong) 

(Par) J^-J bn( J u)nfn(P 2 ) = (Choice) ?l ^f 1 

Pi || P 2 ^P[ || P 2 P 1+ P 2 ^P{ 

P^+P' P^P' 

(Res) z{n(n) (Open) — y*x 

(vz)P^(vz)P' {y y )p^l pl 



P^ P > p^ P ^ P ^p 2 



(Comm) — 2 —) (Close) 



p i II Pi^P[ II PLblz) " ' P\ II p 2 - (vy)(P[ || P 2 '{y/z}) 



Act R (Comm R ) ^ 4- 

rel{r) _P^ P Pi\\ P 2 ^P[\\P!,{r/s} 



(Acquire) req(r){P} || (r,<p, 77){0} ^ (r,(p,T]){P} 

„ ren >' „, 
P »• P 

(Release) 



(r,<p,rj){P}-^*(r,<p,rj.rel){0} \\ P' 



.„ ,. . P—+P' rt.at=<p . . P—+P' ri.atfq) 

(Policy i) — - - (Policy 2 ) 



(r,q>, r,){P} — (r,(p,r].a){P'} (r,<p,n){P} — (r,<p,ri){0} \\ P' 

P^P' P^P' 
(Locah) rtn(n) (Local 2 ) ^n(/i) 

(r,(p,77){P} A (r,(p,r]){P'} req(r){P} ^ req(r){P'} 

(Appear) P i P || (r, <p, 7?){0} (Disappear) (r,<p, 77){P} i 

Table 1: Operational Semantics. 

resource boundary. Furthermore, the resource becomes available, i.e. it encloses the empty process 0. If 
the process is not inside the scope of r (see the rule Local\), then, as in the case of accesses, the process 
is stuck. 

The rules Policy \, Policy 2 check whether the execution of the action a on the resource r obeys the 
policy (p, i.e. whether the updated state r\ .a, obtained by appending a to the current state rj, is consistent 
w.r.t. (p. If the policy is obeyed, then the updated state rj .a is stored in the resource state according to the 
rule Policy 1 and the action becomes closed and if not, then the resource is forcibly released according 
to the rule Policy2 and the action becomes faulty. Notice that Policy^ is the rule managing the recovery 
from bad access to resources. 

The rules Local\ and Locah express that actions can bypass resource boundaries for r only if they 
do not involve the resource r. 

Finally, the rules Appear and Disappear describe the abstract behaviour of the resource manager 
performing asynchronous resource reconfigurations. In other words, resource configuration is not under 
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the control of processes. Resources are created and destroyed by external entities and processes can only 
observe their presence/absence. This is formally represented by the rules Appear and Disappear. 

Example 2.2 To explain the operational semantics, we come back to our running example. The follow- 
ing trace illustrates how the workshop works. At the beginning, Workers instantiates a new worker ( a 
resource request point) when receiving a hard job: 

Workshop 

= Worker s\Tools\x(s) .req(s) {hard -hit (s)} \x(hammer) Jobs' 
-> Workers\Tools\Jobs' \req(hammer) {hard -hit (hammer)}, 

where Jobs' ::= y(mallet) .x(mallet) .x(hammer). At this point the new worker can take a hammer and 
other jobs are also available (on the channel x,y). In the following, for the sake of simplicity, we only 
show sub-processes that involve computation. Assume that the new worker takes a hammer, then we have 
the following transition: 

req(hammer) {hardJiit (hammer) } | (hammer, (p/ u e){0} 
-> (hammer, <j9/, , e) {hard -hit (hammer) } 

Now, three workers are similarly instantiated for doing all remaining jobs. 

Workers\Jobs' 

-> Workers\req(mallet){soft-hit(mallet)}\x(mallet).x(hammer) 

->■ Worker s\req(mallet) {so ft Jut (mallet)}\req(mallet) {hard -hit (mallet). }\x(hammer) 

-> Workers\req(mallet) {soft _hit (mallet)}\req(mallet){hard-hit(mallet)}\req(hammer) {hard-hit (mallet)} 



In the current setting, the new three workers make one request on the remaining hammer and two 
requests on the mallet. Since we have only one mallet, one of two mallet requests could be done at a 
time. Suppose the first job get done first, we have the following transition: 

(hammer, <p/j , £ ) {hard-hit (hammer) } 

hard Jiit (hammer) 

► (hammer, (ph,hard Jiit) {0} 

Note that the hammer is available again. Similarly, the second job is done as follows: 

req(mallet ) {soft -hit (mallet ) } \ (mallet, (p m ,e){0} 
-> (mallet, (p m ,e){so ft Jiit (mallet)} 

soft Jiit (mallet) 

— 1 > (mallet ,(p m , so ftJiit){0} 

If the third job would be processed, then a forced release could occur. This happens because the worker 
attempts to do a hard hit by using a mallet in doing the job, which violates the mallet policy. 

req(mallet ) {hard -hit (mallet). 0}\ (mallet, (p m ,e){0} 
->■ (mallet ,(p m ,e) {hard -hit (mallet ) } 

hard Jiit (hammer) 

► (hammer, (pf t ,e){0}\0 



Finally, the similar trace is for the fourth job. 
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3 Control Flow Analysis 

In this section, we present a CFA for our calculus, extending the one for 7i-calculus [5]. The CFA 
computes a safe over-approximation of all the possible communications of resource and channel names 
on channels. Furthermore, it provides an over-approximation of all the possible usage traces on the 
given resources and records the names of the resources that can be possibly not released, thus providing 
information on possible bad usages. The analysis is performed under the perspective of processes. This 
amounts to saying that the analysis tries to answer the following question: "Are the resources initially 
granted sufficient to guarantee a correct usage?". In other words, we assume that a certain fixed amounts 
of resources is given and we do not consider any dynamic reconfiguration, possible in our calculus, due to 
the rules Appear and Disappear. The reconfiguration is up to the resource manager and is not addressed 
by the CFA. 

For the sake of simplicity, we provide the analysis for a subset of our calculus, in which processes 
enclosed in the scopes of resources are sequential processes (ranged over by Q, Q'), as described by the 
following syntax. Intuitively, a sequential process represents a single thread of execution in which one 
or more resources can be used. 

P,P' :■■= as before in Fig Q] Q,Q' '■'■= sequential processes 
| (r,cp,T7){<2} ^ 

I req(s){Q} \ (vz) Q 

n.Q 

Q + Q' 
(r,<P,ri){Q} 
(r,<p,ri){0}\\Q 
req(s){Q} 

This implies that one single point for releasing each resource occurs in each non deterministic branch 
of a process. The extension to general parallel processes is immediate. Nevertheless, it requires some 
more complex technical machinery in order to check whether all the parallel branches synchronise among 
them, before releasing the shared resource. 

In order to facilitate our analysis, we further associate labels % £ C with resource boundaries as fol- 
lows: (r,(p,rj ) {Q} x and req(r) {Q} x , in order to give a name to the sub-processes in the resource scopes. 
Note that this annotation can be performed in a pre-processing step and does not affect the semantics of 
the calculus. During the computation, resources are released and acquired by other processes. Statically, 
sequences of labels S e C* are used to record the sequences of sub-processes possibly entering the scope 
of a resource. Furthermore, to make our analysis more informative, we enrich the execution traces rj 
with special actions that record the fact that a resource has been possibly: 

• acquired by the process labelled %: in(x), with a successful request; 

• released by the process labelled %: out(%) with a successful release; 

• taken away from the process labelled %: err_out(%) because of an access action on r that does not 
satisfy the policy. 

The new set of traces is A* , where A-Au {in{%),out(%),err_out(%) \ % e £}. The corresponding 
dynamic traces can be obtained by simply removing all the special actions. 

The result of analysing a process P is a tuple (p , fc, T, *F) called estimate of P, that provides an 
approximation of resource behavior. More precisely, p and K offer an over-approximation of all the 
possible values that the variables in the system may be bound to, and of the values that may flow on 
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channels. The component F provides a set of traces of actions on each resource. Finally, *F records a 
set of the resources that can be possibly not released. Using this information, we can statically check 
resource usages against the required policies. 

To validate the correctness of a given estimate (p,K",r,*F), we state a set of clauses that operate 
upon judgments in the form (p, K",r,*P) l= 5 P, where 8 is a sequence of pairs [(r, (p,ri),S], recording the 
resource scope nesting. This sequence is initially empty, denoted by [e,e]. 

The analysis correctly captures the behavior of P, i.e. the estimate (p,K",r,*F) is valid for all the 
derivatives P' of P. In particular, the analysis keeps track of the following information: 

• An approximation p : ffu Ti. -> p (J\[ u 7Z) of names bindings. If a e p (x) then the channel variable 
x can assume the channel value a. Similarly, if r e p (s) then the resource variable s can assume the 
resource value r. 

• An approximation k : N -*■ p(AfuTZ) of the values that can be sent on each channel. If b e k(ci), 
then the channel value b can be output on the channel a, while r e K"(a), then the resource value r 
can be output on the channel a. 

• An approximation F:TZ^p({[((p,r]),S]\ (p e<t>,S e C* ,77 e A*}) of resource behavior. If [((p,r]),S] e 
r(r) then T] is one of the possible traces over r that is performed by a sequence of sub-processes, 
whose labels % are juxtaposed in S. 

• An approximation *P e p({8 \ 8 is a sequence of pairs [(r, <p,Tj), 5]} of the resources which are 
possible locked by processes in deadlock for trying to access or to release a resource not in their 
scope. More precisely, if 8 is in *F and [(r, ^,rj),S] occurs in 8, then the resource r can be possibly 
acquired by a process that can be stuck and that therefore could not be able to release it. 

The judgments of the CFA are given in Tab. |2j which are based on structural induction of pro- 
cesses. We use the following shorthands to simplify the treatment of the sequences 8. The pred- 
icate [(r,q>, rj),x] e 8 is used to check whether the pair [(r, <p, rj),x] occurs in 8, i.e. whether 8 = 
8'[r,((p,rj),x]8". With ^{[(^(pjTj.a^S'J/IXr,^,!]),^]} we indicate that the pair [(r, <p,rj), S] is re- 
placed by [(r, (p, rj.a),S] in the sequence 8. With 8 \[(r,(p,rj),S] we indicate the sequence where the 
occurrence [(r, (p,rj),S] has been removed, i.e. the sequence 8'8", if 8 - 8'[(r,<p,rj),S]S" . 

All the clauses dealing with a compound process check that the analysis also holds for its immediate 
sub-processes. In particular, the analysis of IP and that of (vx)P are equal to the one of P. This is an 
obvious source of imprecision (in the sense of over-approximation). We comment on the main rules. 
Besides the validation of the continuation process P, the rule for output, requires that the set of names 
that can be communicated along each element of p(x) includes the names to which ;y can evaluate. 
Symmetrically, the rules for input demands that the set of names that can pass along x is included in the 
set of names to which y can evaluate. Intuitively, the estimate components take into account the possible 
dynamics of the process under consideration. The clauses' checks mimic the semantic evolution, by 
modelling the semantic preconditions and the consequences of the possible synchronisations. In the 
rule for input, e.g., CFA checks whether the precondition of a synchronisation is satisfied, i.e. whether 
there is a corresponding output possibly sending a value that can be received by the analysed input. The 
conclusion imposes the additional requirements on the estimate components, necessary to give a valid 
prediction of the analysed synchronisation action, mainly that the variable y can be bound to that value. 

To gain greater precision in the prediction of resource usages, in the second rule, the continuation 
process is analysed, for all possible bindings of the resource variable s. This explains why we have all 
the other rules for resources, without resource variables. 
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Table 2: CFA Equational Laws 
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The rule for resource joint point updates 8 to record that the immediate sub-process is inside the 
scope of the new resource and there it is analysed. If the process is empty, i.e. in the case the resource is 
available, the trace of actions is recorded in T(r). 

In the rule for resource request point, the analysis for Q is performed for every possible element 
[((p,rj),S] from the component T(r). This amounts to saying that the resource r can be used starting 
from any possible previous trace f] . In order not to append the same trace more than once, we have the 
condition that S does not contain X- This prevents the process labelled % to do it. Furthermore, 77 is 
enriched by the special action in(%) that records the fact that the resource r can be possibly acquired by 
the process labelled %. 

According to the rule for access action, if the pair [(r, (p,rj),S%] occurs in 8 (i.e. if we are inside the 
resource scope of r) and the updated history rj.a obeys the policy (p, then the analysis result also holds for 
the immediate subprocess and 8 is updated in 8', by replacing [(r,(p,r]),Sx] in 8 with [(r, <p, rj.a),Sx], 
therefore recording the resource accesses to r possibly made by the sub-process labelled by %. 

In case the action possibly violates the policy associated with r (see the last conjunct), the process 
labelled x ma y loose the resource r, as recorded by the trace in F, [((p,rj .err_out(x)),Sx]> wrtn the 
special action err_out(x) appended to rj. If instead, the action on r is not viable because the process is 
not in the scope of r, then all the resources in the context 8 could not be released, as recorded by the 
component *F. 

According to the rule for release, the trace of actions rj' = rj.(0.out(x) over r at X is recorded in 
r(r). Other sub-processes can access the resource starting from the trace rj'. Furthermore, [(r,(p,rj),S] 
is removed from 8 and this reflects the fact that the process Q can exit its scope, once released the resource 
r. Similarly, in the last rule, [(r, (p,rj),S] is removed from 8 and there the process Q is analysed. Again, 
if the action on r is not possible because the process is not in the scope of r, then all the resource in the 
context 8 could not be released, as recorded by the component x ¥. 

Example 3.1 We briefly interpret the results ofCFA on our running example. A more complex of exem- 
plification of CFA is given in the next example (see below). First we associate labels with the resource 
boundaries as follows: 

Tools ::- (hammer, (ph,e){0} Xl {(hammer, (pf l ,e){0} X2 \(mal I et,(p m ,e){0} X3 
Workers ::= \x(s).req(s) {hard-hit (s) } Xh \\y(t) .req(t){softJiit(s) } Xm 

It is easy to see that there is one policy violation, which is captured by our CFA in the component 
r(hammer), from which we can extract the following trace: (in(Xm)-err_out(Xm)-,Xm)- It occurs when 
doing the third job the worker tries to hit hard using a mallet. We know that the channel x (y, resp.) is 
supposed to send/receiving hard jobs (soft jobs, resp.), i.e. sending/receiving hammer (mallet, resp.) and 
names s and t are supposed to be bound to hammer and mallet respectively. By checking the component 
p and K, we can explain the above violation too. On the one hand, we found that p(t) is a singleton set 
of mallet, while p(s) is a set of hammer and mallet, which is a wrong bound of s. On the other hand, 
similarly we found that k(x) contains only hammer, while K(y) contains hammer and mallet, which is 
a wrong use ofy. 

Example 3.2 (Robot Scenario) We now consider a scenario, where a set of robots collaborate to reach 
a certain goal, e.g. to move an item from one position to another. Without loss of generality, we assume 
that robots operate in a space represented by a two-dimensional grid. We also assume that certain 
positions over the grid are faulty, and therefore they cannot be crossed by robots. To move the item, a 
robot needs to take it, and this is allowed provided that the item is co-located within the range of robot's 
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Figure 3: The initial configuration of the robot scenario. 




Figure 4: The policy automata of the robots' families: R\ (left), R2 (middle) and Ri, (right). 

sensor. Moreover, since robots have a small amount of energy power, they can perform just a few of steps 
with the item. Finally, we consider three families of robots (R\,R2 and R3): each robot in the family has 
different computational capabilities. 

Fig. \3\ gives a pictorial description of the initial configuration of the scenario. Positions are rep- 
resented by circles and double circles. Double circles indicate faulty positions. The item is located at 
position po and the goal is to move it into the position p%. There is just one faulty position p$, crossing 
through which is considered a failure. Moreover, we consider a scenario where the three families of 
robots R\,R2 and R3 are initially located at po, p? and pi, respectively (e.g. all the robots of the family 
Ri are located at pq). 

Sensors are modelled by clearly identified resources. The sensor j th of the i th robot family is specified 
by the resource (snsij,(pj,rjij), where snsij is the name of the sensor, r\ij is the abstract representation 
of the sequence of moving actions which led the robot from its initial position to the current one and 
initially equals to S, and (pj is the global policy on demand. We assume that each family of robots has 
its own policy described by the automata in Fig. |?] The policy constraints robots ' movement in the grid. 
We model the movement activities of robots with the following actions: E(sns), \N(sns), S(sns), and 
V\(sns) that describe the movements on east (west, south and north, resp.). Basically, sensors are a sort 
of private resources of the robots (each robot will never release its sensor) and the actions over sensors 
update their states. 

The item is modelled by a resource of the form (IT, <jp/, T]), where rj describes the sequence of actions 
performed on the item, and (JO/ simply states that the item is never located at the position p$. Initially, 
r\ is equal to £. The same set of actions adopted for robots' movement (namely E(IT), \N(IT), S(IT), 
and N(IT)) are exploited to transport the item in the grid. Finally, each robot in the family i 6 {1,2,3} 
is specified by a process Rjj of the form: (snsij,(pj,rjij){Qjj} x , where Qi j specifies the j ,h robot's 
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behaviour of the i robot family and % is a label associated with the resource boundary. For instance, in 
the process Q2.3 (see below), the robot goes to north (without the item), then it tries to grasp the item. If 
this operation succeeds, the robot goes to east and releases the item there. Note that we use two monadic 
actions to move the item and the sensor together. This could be done by using polyadic actions, which 
however we leave for future work. 

For the sake of simplicity, we do not model co-location of sensors and items. The specification of the 
robot scenario is given below. 

R1.1 :=(iiwi,i,fl>i,/Jo){'»«(/r){E(/r).E(jiwi i i).S(/r).S(jnJi,i).re/(/r)p»}«'» 
*i^:=(iMi,2,fl>, ) />o){re9(/r){E(/r).E(jnji i 2).E(/r).E(OTii i2 ).«/(/r)p»}*« 
R l3 :=(jnji, 3 ,fl>i,/>o){re9(/r){E(/r).E(jnji i 3).re/(/r)pi3}»,i3 

R 2 .i :=(s«i 2 . 1 ,^,/?3){re ? (/r){N(/r).N(OTi2,i)-E(/7 , ).E(sns 2 ,i)-'-e/(/r)} z '- 21 }^ 21 
R22-=(sns22,92,P3){reqllT){N(IT).Nlsns2 

R2.3 ■= (sns 2t 3,<lh,P3){NR(sns2,3).req(IT){E(lT).E(sns2a)-rei(IT)}X™^ 
R3.1 :=(OTi3j,^3,^ 7 ){re ? (/r){S(/r).S(sns3,i)-re'(/r)} z '- 31 }^ 31 
R32-=(sns 3 2,(P3,Pi){req(IT){N(IT).N( S n S 3 j2 ).rel(IT)}^2}Xm 

System- (IT,(p,,p Q ){0}^ || * M || R L2 \\ R h3 II *2,i II ^2,2 II *2,3 II * 3 ,i II ^3,2 

The following trace illustrates the behaviour of the specification of the scenario. At the beginning, the 
item lies in the range of the family of robot R\. Then a reconfiguration step putting together the robot 
R\ t \ and the item is performed. 

systems (/r^/.e)^}!!^!^,^^)^!^}!^^!^!^!^!^!^!^^ 

(^ 1>1 ,<p 1 ,e){(/r,<p / ,e){0}||eia}||^l,2||/?l,3||^2all^2,2||/?2,3||^3all^3,2 

As a result, robot R\ \ can grasp (acquire) the item; the pair item-robot moves on east, then on south. 
Finally, the robot disposes the item at the position p$. 

System ^ (snsi, u <PhPo){ (IT, p,, e) {Qi,i }| \Ri, 2 \ \R 2 , 1 1 \Ri,2 \ |/?3,i 1 1^3,2 

E(IT) S(IT) S(ms u ) rel(IT) 
> > > > > 

(/r,9/,e.£.5.re/){fl}||(msi ) i,9i,e.£.S){fl}|^i )2 |^2,i|^||/!3 ) i|^3,2 

It is easy, given an initial location, to map a sequence of actions performed over the item into a 
path on the grid, namely each action operated over the item (i.e. E(IT), \N(IT), S(IT), and N(IT)) 
corresponds to a single moving step in the space grid. The release action, instead, is interpreted as a 
sort of self-loop in the grid, i.e. the execution of the release action does not move the item. For example, 
the sequence e.E.S. in the above setting would model the path poP4P3- From now on, by abuse of 
notation, we will freely use paths in place of sequences of actions over the item/sensors. 

Now, the item is in the range of the family of robots R2- Again by applying the reconfiguration step, 
robot R21 is allowed to operate with the item. Then, it takes the item, makes a move on north, then on 
east, and disposes the item at the position p-j. For the sake of simplicity, in the following we show only 
sub-processes of the system that involve computation: 

(IT,( Pl ,p P4P3P3){0}\\R2,l 

x N(IT) N(sns 2 ,i) E(IT) E(sns 2A ) rel(IT) 
> > > > > 

(IT, <p/, P0P4P3P3P4P7P7 ){0}\\ (sns 2 , l,(p2, P3P4P1 ){0} 
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Note that a forced release would have occurred at this step if the item proceeded governed by the robot 
/?2,2- The reason is that R22 attempts to move the item into the position p$ and this results in releasing 
the item at the position p\ by the rule Policy2- Now the robot R32 has the chance to take the item, and, 
if the north move occurs, the goal is achieved and the task is completed. 

(IT, (PhP0PAP3PlP4PlPl){0}\\R?,2 
x N(IT) N(sns 3a ) rel(IT) 

(IT, (Pl,p P4P3P3P4P7PlP8PS ){0}\\ (sns 3a , (p3 , PlP% ) {0} 

Now we explain the features of the CFA. The CFA (in particular the T component) computes the set 
of possible traces of the trajectories in the grid reaching the goal, among which the ones below: 

in(Xrn)-ES.rel.out(x r n)MXr2i)-N.E.rel.out(x r 2i)-in(Xr32)-N.rel.out(x r 32),Xrn-Xr2i-Xr32 
in(Xrn)-E.E.rel.out(Xru)-in(Xr32)-N.rel.out(Xr32)-,Xr\2-Xr32 

in(Xri3)-E-rel.out(x r i3)-in(Xr23)-E.rel.out(x r 23)-in(Xr32)-N.rel.out(x r 32),Xri3-Xr23-Xr32 
in(Xr\\)-E.S.rel.out(Xr\\)-m(Xr22)-N.err_out(Xr22)-in(Xr23)-E.rel.out(Xr23^ 

This set produces the following sequences of positions: PoP4P3P3PaPi Pi P&Ps, PoP\PiPiP%P%, and 
also pqPaPaPiPip%p% and popAP3P3P4P4Pipip%p%. Note that the last trace is faulty (e.g. traces contain 
error actions errjout, see below) since it contains a forced release err _out (#2,2) ($ ee below). Conse- 
quently, the system does not respect the policy (pirfar the item. In particular, there are three faulty traces 
found by the analysis, which have the following common prefix: 

in(Xri 1 ) E .S.rel.out (% rX i).in (x r ii ) -N .out _err(x r 22 ),Xm -Xrii 

The reason is that the robot R2 2 is forced to release the item when attempting to move it into the bad 
position ps. Moreover, there is no faulty trace of actions over sensors, which means the system respects 
the policies (pijfor sensors and therefore complies with it. 

The analysis provides us with an approximation of the overall behaviour of the analysed process. 
Moreover, it is proved to be correct: the analysis indeed respects the operational semantics of G-Local 
^-calculus, as shown by the following subject reduction result. 

Theorem 3.3 (Subject Reduction ) (p,K,T,y) l= 5 P and P ^ P', then (p , K,T, y) l= 5 P'. 

We can further prove that there always exists a a least choice of (p , k, F, y) that is acceptable for 
CFA rules, and therefore it always exists a least estimate. This depends from the fact that the set of 
analysis estimates constitutes a Moore family. 

Theorem 3.4 (Existence of estimates) For all 8,P, the set {(p, K,F, y)\(p, K,F, y) l= 5 P} is a Moore 
family. 

Moreover, our analysis offers information on the resource usage, included bad usages. The compo- 
nent T is indeed in charge of recording all the possible usage traces on each resource r. Actually, for each 
r, traces are composed of pairs [(0, J] where S is made of labels of the processes that acquired the 

resource r and r\ records every action on r, included the special actions in(x), out(x) and err_out(x), 
that indicate that the process labelled x ma y acquire and release (or it may be forced to release) the 
resource. This information offers a basis for studying dynamic properties, by suitably handling the safe 
over-approximation the CFA introduces. We want to focus now on the traces including special error 
actions, that we call faulty. 
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Definition 3.5 A trace rj e A* is faulty if it includes err_out(%) for some % £ C. 

In particular, on the one hand if the analysis contains faulty traces, then there is the possibility of 
policy violations, while if all the traces are not faulty, then we can prove that policy violations cannot 
occur at run time, and therefore that the processes correctly use their resources. 

We can show it formally, as follows. 

Definition 3.6 The process P, where r is declared with policy <p, P complies with (p for r, if and only if 

P * i n i a ( r ) // <" * 

P —> P implies that there is no P such that P -*■ P , where — > is the reflexive and transitive closure 

of->. 

Definition 3.7 A process P, where r is declared with policy (p, is said to respect (p for r, if and only if 

3 (p , K, T, W) . (p , K, T, y) [e ' e] /> and V [ ( (p, r\ ) , 5] e T(r) . r] is not faulty 
Theorem 3.8 IfP respects the policy q> for r then, P complies with (p. 

4 Concluding Remarks 

Our work combines the name-passing of the 7T-calculus with the publish-subscribe paradigm to cope 
with resource-awareness. We have shown that this has lead to a name passing process calculus with 
primitives for acquiring and releasing stateful resources. Our research program is to provide formal 
mechanisms underlying the definition of a resource-aware programming model. The work reported in 
this paper provides a first step in this direction. There is a number of ways in which our calculus could be 
extended. In terms of calculus design, we assumed a monadic request primitive for managing resource 
binding. This is a reasonable assumption for several cases. An interesting issue for future research is to 
extend the calculus with a polyadic request primitives asking for a finite number of resources. In terms 
of reasoning mechanisms, it would be interesting to exploit CFA techniques to develop methodologies 
to analyze the code in order to avoid bad accesses to resources. Also it would be interesting to apply the 
typing techniques (behavioral types) introduced in [3] to capture a notion of resource contract. 
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